Re: tar preserves setuid bit

To: Neil McKellar <mckellar@xxxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: tar preserves setuid bit
From: Imran Ghory <imranghory@xxxxxxxxx>
Date: Fri, 5 Aug 2005 22:58:07 +0100
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=srSBxj06m1BDxVBL+f00kzENfC5wAOCG3z/BsVZoiSJhQdOVDdyJpKmAPqyprYtDOiHjY7VLm284lGIGgroqD+ifoq2zez9FJddEfaGQOmq84kkFhwZHvy6rucI4wN8Hwvn65oYibtNPR3WijCrMtu6B4CVWLNITjy3t7Lq4VIk=
In-reply-to: <1123277644.42f3db4c4ef9f@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <7389fc4b05080416526bee4bd3@xxxxxxxxxxxxxx> <1123277644.42f3db4c4ef9f@xxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: Imran Ghory <imranghory@xxxxxxxxx>

On 8/5/05, Neil McKellar <mckellar@xxxxxxxxxxxxxxx> wrote:
> Imran Ghory <imranghory@xxxxxxxxx> wrote:
> > If running as the root user tar restores the original permissions to
> > extracted files, this includes the setuid bit. No warning is given to
> > the user that this has happened.
> 
> From the default man page for tar:
> 
>     The owner, modification time, and mode are restored (if possible);
> 
> This isn't specific to GNU, it's *expected behaviour* for every version of 
> tar.
>  In fact, a failure to conform to this behaviour breaks essential 
> functionality
> of tar. 

I'm not saying that it shouldn't have the behaviour, rather that it
should warn the user.

Howeber the only reason I posted this "bug" was because a number of
unix/linux vendors have decided that the same issue in unzip (which I
cited earlier : CAN-2005-0602) should be considered a vulnerability
and have issued patches to change the behaviour. Hence they may (or
may not) decide to take similar action with tar,

> What part of 'Tape ARchive' wasn't clear?  Would you be happy if your backup 
> and
> restore procedures failed to actually restore files in their original 
> condition?

The number of people who use tar for archival purposes is minimal
compared to those who use it for distribution purposes. Of course you
could argue that misusing an archival tool as a distribution tool is
the source of this potential problem, but the fact is that it is used
for distribution purposes and thus is a potentinal attack vector.

Imran Ghory

Follow-Ups:
- Re: tar preserves setuid bit
  - From: Jeremy C. Reed

References:
- tar preserves setuid bit
  - From: Imran Ghory
- Re: tar preserves setuid bit
  - From: Neil McKellar

Prev by Date: Re: Zip 2,31 bad default file-permissions vulnerability
Next by Date: Re: Defeating Citi-Bank Virtual Keyboard Protection
Previous by thread: Re: tar preserves setuid bit
Next by thread: Re: tar preserves setuid bit
Index(es):
- Date
- Thread